Cyber Security Weekly Briefing 18-24 September

Telefónica Tech    24 September, 2021

Malware campaign using TeamViewer on websites under IIS

Malwarebytes researchers have observed a malware distribution campaign, active since the beginning of September, that makes use of previously compromised pages running on Microsoft’s Internet Information Services (IIS) web server. The attack vector is a fake expired-certificate alert such as “Detected a potential security risk and has not extended the transition to [sitename]. Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE.”, which then prompts the user to download a malicious “update installer” that is in fact a disguised copy of the known TVRAT trojan. Once the victim executes the malware, it installs itself alongside the TeamViewer remote control software, giving the threat actor direct communication with its command and control server and full control over the compromised computer. The specific method used to compromise the IIS servers is not yet known, although public exploit code exists for a vulnerability that Microsoft patched last May (CVE-2021-31166).

More info: https://www.bleepingcomputer.com/news/security/hacked-sites-push-teamviewer-using-fake-expired-certificate-alert/

BulletProofLink: massive phishing campaign

Microsoft security researchers have published details of a massive phishing-as-a-service (PHaaS) operation that runs on a hosting-like infrastructure and offers threat actors a range of services, such as phishing kits and templates. According to the research, BulletProofLink, as this campaign is called, goes beyond traditional phishing kits: after an initial registration on its portal for a fee of $800, it provides a comprehensive service covering hosting, domain generation, email sending, credential collection and delivery of the stolen logins, and customers can adapt any of the more than 120 phishing templates available. Microsoft also warns that BulletProofLink’s operators cheat their own customers: they keep a copy of the credentials stolen in the attacks and sell them on other underground forums. It is estimated that the campaign has used more than 300K unique newly created subdomains to date, which shows the scale of its impact.

All the details: https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/

Microsoft Exchange Autodiscover bug allows exfiltration of credentials

Amit Serper, security engineer at Guardicore, has discovered a new implementation flaw in the Autodiscover protocol of Microsoft Exchange which could allow credential exfiltration. Autodiscover is the protocol Microsoft Exchange uses to give its customers an easy, automatic way to configure the Exchange client and its applications, such as Outlook. Once the client is installed, it requests the username and password and then uses Autodiscover to build a series of URLs derived from the user’s email address. If none of these auto-generated URLs responds, a back-off phase begins that is prone to failure, because it tries to resolve the Autodiscover.TLD part of the address. Serper realised that whoever owns such an Autodiscover.TLD domain would receive every request that does not reach the original domain. To test the bug, Serper and his team purchased several Autodiscover domains with different TLDs and received requests from many customers across multiple industries. After testing, Guardicore reportedly obtained more than 90,000 unique credentials from applications such as Outlook and more than 350,000 Windows domain credentials, showing that the impact is global.

Learn more: https://www.guardicore.com/labs/autodiscovering-the-great-leak/
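As an added example (not code from the briefing or from Guardicore’s research), the following Python models the Autodiscover candidate-URL sequence the text describes, flags the back-off candidate that falls outside the user’s own domain, and applies the same rule to constructed proxy log lines so the leak can be blocked or alerted on. The exact URL ordering and the log format are assumptions.

```python
# Added example: models the Autodiscover URL sequence described above and
# flags candidates that leave the organisation's domain. The ordering below is
# an assumption based on the briefing's description, not the real client logic.
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> list[str]:
    """Candidate Autodiscover URLs a client might try for `email`, in order,
    ending with the back-off candidate built from what remains after the
    left-most label is stripped (for a two-label domain: autodiscover.<TLD>)."""
    if "@" not in email:
        raise ValueError("not an email address")
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    if len(labels) >= 2:  # back-off phase: drop the left-most label
        urls.append(f"http://autodiscover.{'.'.join(labels[1:])}{AUTODISCOVER_PATH}")
    return urls


def _in_org(host: str, org_domain: str) -> bool:
    return host == org_domain or host.endswith("." + org_domain)


def out_of_org(email: str) -> list[str]:
    """Candidates whose host is neither the user's domain nor a subdomain of
    it: the ones to block at the proxy or sinkhole in internal DNS."""
    org = email.rsplit("@", 1)[1].lower()
    return [u for u in autodiscover_candidates(email)
            if not _in_org(urlparse(u).hostname or "", org)]


# Constructed sample proxy log (timestamp user url status); not real traffic.
PROXY_LOG = """\
2021-09-22T10:01:03Z alice https://autodiscover.example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:04Z alice https://example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:05Z alice http://autodiscover.com/autodiscover/autodiscover.xml 401
2021-09-22T10:02:10Z bob https://intranet.example.com/index.html 200
"""


def leaking_requests(log: str, org_domain: str) -> list[str]:
    """Log lines with an Autodiscover request to a host outside org_domain."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[2]
        host = urlparse(url).hostname or ""
        if url.lower().endswith(AUTODISCOVER_PATH) and not _in_org(host, org_domain):
            hits.append(line)
    return hits
```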

New 0-day vulnerability in Apple exploited on iOS and macOS devices

Google security researchers have reported to Apple a new 0-day vulnerability affecting iOS and macOS devices, and Apple itself has acknowledged that the flaw may be under active exploitation by threat actors. The vulnerability lies in the XNU kernel; it has been registered as CVE-2021-30869 and has not yet been assigned a CVSSv3 severity score. However, it is a “type confusion” bug that can lead to arbitrary code execution on a compromised device, so its severity is in any case considered high. It should be noted that in 2021 alone Apple has already had to fix more than 10 0-day vulnerabilities. Patches that resolve the problem are already available for the following affected devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation) with iOS 12.5.5, and Mac with Security Update 2021-006 Catalina.

Full info: https://support.apple.com/en-us/HT212824
